Virginia Voting Machines Have ‘Vulnerability’ to Wireless Sabotage

In this November’s presidential election, Virginia voters will cast ballots on machines that use wireless technology state lawmakers barred five years ago to protect voting machines from hackers. Continued reliability and security concerns over electronic voting are not unique to Virginia, or to machines that use wireless technology, but the case illustrates the credibility issues that have plagued electronic voting machines in use across the country in the aftermath of the messy 2000 presidential election, when the federal government mandated changes to election systems and processes.

Virginia’s election workers in some precincts use the wireless technology to upload ballots and tally vote totals from multiple machines at a polling station. The wireless electronic tallying is an effort to avoid the human error possible in a manual count. Fears that wireless transmission capabilities could present an opening to hackers led Virginia lawmakers to ban the use of the technology in voting machines in 2007. “It makes it easier to hack systems when you have an open interface that can be accessed remotely from outside the polling place, like in a parking lot,” said Jeremy Epstein, a computer researcher who helped draft the state’s legislation to bar wireless from polling stations. “It magnifies any other vulnerability in the voting system.”

Chip Somodevilla/Getty Images

A polling place worker assists a voter with a digital voting machine April 3, 2012 in Potomac, Maryland.

But the ban was modified one year later to allow the use of wireless on machines the state already purchased. The reversal came as the 2008 presidential election neared, after local officials said the ballot machines wouldn’t work without wireless connections, and there was no money to replace them.

The wireless technology is part of the AVS WinVote system, a touch screen voting machine used at 32 of Virginia’s polling localities, where more than a third of the swing state will cast ballots in November. To date, there have been no verified instances of hackers using wireless capabilities to influence the outcome of an election, but advocates – and many lawmakers – believe the potential for such malfeasance combined with the difficulty of verifying vote totals could undermine public confidence in elections.

The state board of elections maintains that the WinVote has “strict security protocols” and its local officials “are confident that with their internal security procedures and logic and accuracy testing, the system has performed as designed,” Nikki Sheridan, a spokeswoman, said in an email.

The continued use of the AVS WinVote in Virginia this year illustrates the trouble facing states that purchased electronic voting machines with federal funds made available by the 2002 Help America Vote Act. The law was intended to encourage states to purchase electronic voting systems and prevent the ambiguity of hanging chads that dogged the Florida results in the 2000 election. But many states like Virginia, Maryland, and New Jersey now have buyer’s remorse over security and reliability concerns.

“Looking at those hanging chads, we felt that anything was better than that,” said Mary Whipple, a former state senator, who initially supported the adoption of the WinVote touch-screen system in 2003. She added that those devices also seemed far easier for some disabled people to use, which is an important component of HAVA.

But the money became available before the federal government fully comprehended potential risks such as security and the reliability of older machines, said Brian Hancock, director of voting system certification at the federal Election Assistance Commission.

That commission, responsible for developing a voluntary certification system for voting machines bought under HAVA, did not come out with a fully updated set of voluntary standards until 2005, long after many states like Virginia had already bought new voting machines.

“People brought up all these issues later but then the money was gone,” Whipple said.

The HAVA grants “put election officials in a bad position – they wanted to spend the money. But the standards just weren’t out there,” said Hancock. “I wouldn’t recommend anyone use wireless technology to tally up vote counts.”

Virginia’s lawmakers shared that concern and after a two year study passed a law barring the use of wireless technology for balloting. The law, which also called for the phasing out of the state’s all-electronic touch screen machines, passed with an overwhelming majority. “An unusual consensus between liberals, conservatives and moderates, a proud moment,” said Republican Delegate Tim Hugo, who led the study group.

Jeannemarie Devolites-Davis, a former-Virginia state senator, said she sponsored the legislation because “there was a real concern that anyone who wanted to could intercept the transmission and interfere with results.”

Epstein, the computer scientist who helped draft the law and co-founded the advocacy group Virginia Verified Voting, testified that wireless technology would make it easier for hackers do more damage and go undetected.

“If you are attacking machines by physically going into a polling place, you have to do them one at a time, and there are opportunities to get caught,” Epstein said. ”Wirelessly you could affect all the machines in a polling place or in a precinct by driving from one location to the next.”

The 2007 Virginia law entirely barred voting machines from communicating wirelessly. But with the presidential vote coming in 2008, election officials said the AVS WinVote machines were not able to function if the capability was shut off. Calls to reach Howard Van Pelt, CEO of Advanced Voting Solutions – the Frisco, Texas-based firm that sold the system, found the company’s listed number disconnected. Officials say the company has been non-operational for around four years.

“The real world intervened,” said Whipple, the former Virginia state senator who sponsored legislation in 2008 once again allowing wireless to be used in machines already purchased. “As a practical manner, they weren’t going to be able to manage the elections” unless the wireless capabilities were intact.

The plan was changed to allow wireless until WinVote machines broke and could be replaced. But four years, and one presidential election later, the systems may still be used by over a million voters, according to data posted to Virginia’s Board of Elections.

Local election officials, Hugo said, “are trying to eke out as much longevity,” from the machines as possible to save money. The cost for an immediate replacement “would be huge.” Though Hugo wishes the machines could be phased out faster, he believes that the chance of a wireless attack is remote.

Still, hacker attacks have only become more sophisticated in the five years since the wireless ban was passed and then changed. “The defenses have not improved over the past five years and the risks have gotten much worse,” Epstein said.

Other states like New Jersey and Maryland are now facing buyer’s remorse over machines purchased with HAVA money. Both now have laws to replace or modify current electronic ballot systems that don’t create a verifiable paper trail for recounts, because voters fear their votes are being improperly tallied. But, like Virginia, neither state has the funds to make the change and it’s unclear when they will.